/*- * Copyright (c) 2008-2009 Edward Tomasz NapieraƂa * All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. */ /* * ACL support routines specific to NFSv4 access control lists. These are * utility routines for code common across file systems implementing NFSv4 * ACLs. */ #ifdef _KERNEL #include __FBSDID("$FreeBSD$"); #include #include #include #include #include #include #include #include #else #include #include #include #include #define KASSERT(a, b) assert(a) #define CTASSERT(a) #endif /* _KERNEL */ #ifdef _KERNEL static struct { accmode_t accmode; int mask; } accmode2mask[] = {{VREAD, ACL_READ_DATA}, {VWRITE, ACL_WRITE_DATA}, {VAPPEND, ACL_APPEND_DATA}, {VEXEC, ACL_EXECUTE}, {VREAD_NAMED_ATTRS, ACL_READ_NAMED_ATTRS}, {VWRITE_NAMED_ATTRS, ACL_WRITE_NAMED_ATTRS}, {VDELETE_CHILD, ACL_DELETE_CHILD}, {VREAD_ATTRIBUTES, ACL_READ_ATTRIBUTES}, {VWRITE_ATTRIBUTES, ACL_WRITE_ATTRIBUTES}, {VDELETE, ACL_DELETE}, {VREAD_ACL, ACL_READ_ACL}, {VWRITE_ACL, ACL_WRITE_ACL}, {VWRITE_OWNER, ACL_WRITE_OWNER}, {VSYNCHRONIZE, ACL_SYNCHRONIZE}, {0, 0}}; static int _access_mask_from_accmode(accmode_t accmode) { int access_mask = 0, i; for (i = 0; accmode2mask[i].accmode != 0; i++) { if (accmode & accmode2mask[i].accmode) access_mask |= accmode2mask[i].mask; } /* * VAPPEND is just a modifier for VWRITE; if the caller asked * for 'VAPPEND | VWRITE', we want to check for ACL_APPEND_DATA only. */ if (access_mask & ACL_APPEND_DATA) access_mask &= ~ACL_WRITE_DATA; return (access_mask); } /* * Return 0, iff access is allowed, 1 otherwise. */ static int _acl_denies(const struct acl *aclp, int access_mask, struct ucred *cred, int file_uid, int file_gid, int *denied_explicitly) { int i; const struct acl_entry *entry; if (denied_explicitly != NULL) *denied_explicitly = 0; KASSERT(aclp->acl_cnt > 0, ("aclp->acl_cnt > 0")); KASSERT(aclp->acl_cnt <= ACL_MAX_ENTRIES, ("aclp->acl_cnt <= ACL_MAX_ENTRIES")); for (i = 0; i < aclp->acl_cnt; i++) { entry = &(aclp->acl_entry[i]); if (entry->ae_entry_type != ACL_ENTRY_TYPE_ALLOW && entry->ae_entry_type != ACL_ENTRY_TYPE_DENY) continue; if (entry->ae_flags & ACL_ENTRY_INHERIT_ONLY) continue; switch (entry->ae_tag) { case ACL_USER_OBJ: if (file_uid != cred->cr_uid) continue; break; case ACL_USER: if (entry->ae_id != cred->cr_uid) continue; break; case ACL_GROUP_OBJ: if (!groupmember(file_gid, cred)) continue; break; case ACL_GROUP: if (!groupmember(entry->ae_id, cred)) continue; break; default: KASSERT(entry->ae_tag == ACL_EVERYONE, ("entry->ae_tag == ACL_EVERYONE")); } if (entry->ae_entry_type == ACL_ENTRY_TYPE_DENY) { if (entry->ae_perm & access_mask) { if (denied_explicitly != NULL) *denied_explicitly = 1; return (1); } } access_mask &= ~(entry->ae_perm); if (access_mask == 0) return (0); } return (1); } int vaccess_acl_nfs4(enum vtype type, uid_t file_uid, gid_t file_gid, struct acl *aclp, accmode_t accmode, struct ucred *cred, int *privused) { accmode_t priv_granted = 0; int denied, explicitly_denied, access_mask, is_directory, must_be_owner = 0; mode_t file_mode = 0; KASSERT((accmode & ~(VEXEC | VWRITE | VREAD | VADMIN | VAPPEND | VEXPLICIT_DENY | VREAD_NAMED_ATTRS | VWRITE_NAMED_ATTRS | VDELETE_CHILD | VREAD_ATTRIBUTES | VWRITE_ATTRIBUTES | VDELETE | VREAD_ACL | VWRITE_ACL | VWRITE_OWNER | VSYNCHRONIZE)) == 0, ("invalid bit in accmode")); KASSERT((accmode & VAPPEND) == 0 || (accmode & VWRITE), ("VAPPEND without VWRITE")); if (privused != NULL) *privused = 0; if (accmode & VADMIN) must_be_owner = 1; /* * Ignore VSYNCHRONIZE permission. */ accmode &= ~VSYNCHRONIZE; access_mask = _access_mask_from_accmode(accmode); if (type == VDIR) is_directory = 1; else is_directory = 0; /* * File owner is always allowed to read and write the ACL * and basic attributes. This is to prevent a situation * where user would change ACL in a way that prevents him * from undoing the change. */ if (file_uid == cred->cr_uid) access_mask &= ~(ACL_READ_ACL | ACL_WRITE_ACL | ACL_READ_ATTRIBUTES | ACL_WRITE_ATTRIBUTES); /* * Ignore append permission for regular files; use write * permission instead. */ if (!is_directory && (access_mask & ACL_APPEND_DATA)) { access_mask &= ~ACL_APPEND_DATA; access_mask |= ACL_WRITE_DATA; } denied = _acl_denies(aclp, access_mask, cred, file_uid, file_gid, &explicitly_denied); if (must_be_owner) { if (file_uid != cred->cr_uid) denied = EPERM; } /* * For VEXEC, ensure that at least one execute bit is set for * non-directories. We have to check the mode here to stay * consistent with execve(2). See the test in * exec_check_permissions(). */ acl_nfs4_sync_mode_from_acl(&file_mode, aclp); if (!denied && !is_directory && (accmode & VEXEC) && (file_mode & (S_IXUSR | S_IXGRP | S_IXOTH)) == 0) denied = EACCES; if (!denied) return (0); /* * Access failed. Iff it was not denied explicitly and * VEXPLICIT_DENY flag was specified, allow access. */ if ((accmode & VEXPLICIT_DENY) && explicitly_denied == 0) return (0); accmode &= ~VEXPLICIT_DENY; /* * No match. Try to use privileges, if there are any. */ if (is_directory) { if ((accmode & VEXEC) && !priv_check_cred(cred, PRIV_VFS_LOOKUP, 0)) priv_granted |= VEXEC; } else { /* * Ensure that at least one execute bit is on. Otherwise, * a privileged user will always succeed, and we don't want * this to happen unless the file really is executable. */ if ((accmode & VEXEC) && (file_mode & (S_IXUSR | S_IXGRP | S_IXOTH)) != 0 && !priv_check_cred(cred, PRIV_VFS_EXEC, 0)) priv_granted |= VEXEC; } if ((accmode & VREAD) && !priv_check_cred(cred, PRIV_VFS_READ, 0)) priv_granted |= VREAD; if ((accmode & (VWRITE | VAPPEND | VDELETE_CHILD)) && !priv_check_cred(cred, PRIV_VFS_WRITE, 0)) priv_granted |= (VWRITE | VAPPEND | VDELETE_CHILD); if ((accmode & VADMIN_PERMS) && !priv_check_cred(cred, PRIV_VFS_ADMIN, 0)) priv_granted |= VADMIN_PERMS; if ((accmode & VSTAT_PERMS) && !priv_check_cred(cred, PRIV_VFS_STAT, 0)) priv_granted |= VSTAT_PERMS; if ((accmode & priv_granted) == accmode) { if (privused != NULL) *privused = 1; return (0); } if (accmode & (VADMIN_PERMS | VDELETE_CHILD | VDELETE)) denied = EPERM; else denied = EACCES; return (denied); } #endif /* _KERNEL */ static int _acl_entry_matches(struct acl_entry *entry, acl_tag_t tag, acl_perm_t perm, acl_entry_type_t entry_type) { if (entry->ae_tag != tag) return (0); if (entry->ae_id != ACL_UNDEFINED_ID) return (0); if (entry->ae_perm != perm) return (0); if (entry->ae_entry_type != entry_type) return (0); if (entry->ae_flags != 0) return (0); return (1); } static struct acl_entry * _acl_append(struct acl *aclp, acl_tag_t tag, acl_perm_t perm, acl_entry_type_t entry_type) { struct acl_entry *entry; KASSERT(aclp->acl_cnt + 1 <= ACL_MAX_ENTRIES, ("aclp->acl_cnt + 1 <= ACL_MAX_ENTRIES")); entry = &(aclp->acl_entry[aclp->acl_cnt]); aclp->acl_cnt++; entry->ae_tag = tag; entry->ae_id = ACL_UNDEFINED_ID; entry->ae_perm = perm; entry->ae_entry_type = entry_type; entry->ae_flags = 0; return (entry); } static struct acl_entry * _acl_duplicate_entry(struct acl *aclp, int entry_index) { int i; KASSERT(aclp->acl_cnt + 1 <= ACL_MAX_ENTRIES, ("aclp->acl_cnt + 1 <= ACL_MAX_ENTRIES")); for (i = aclp->acl_cnt; i > entry_index; i--) aclp->acl_entry[i] = aclp->acl_entry[i - 1]; aclp->acl_cnt++; return (&(aclp->acl_entry[entry_index + 1])); } /* * Calculate trivial ACL in a manner compatible with PSARC/2010/029. * Note that this results in an ACL different from (but semantically * equal to) the "canonical six" trivial ACL computed using algorithm * described in draft-ietf-nfsv4-minorversion1-03.txt, 3.16.6.2. */ void acl_nfs4_trivial_from_mode(struct acl *aclp, mode_t mode) { acl_perm_t user_allow_first = 0, user_deny = 0, group_deny = 0; acl_perm_t user_allow, group_allow, everyone_allow; KASSERT(aclp->acl_cnt == 0, ("aclp->acl_cnt == 0")); user_allow = group_allow = everyone_allow = ACL_READ_ACL | ACL_READ_ATTRIBUTES | ACL_READ_NAMED_ATTRS | ACL_SYNCHRONIZE; user_allow |= ACL_WRITE_ACL | ACL_WRITE_OWNER | ACL_WRITE_ATTRIBUTES | ACL_WRITE_NAMED_ATTRS; if (mode & S_IRUSR) user_allow |= ACL_READ_DATA; if (mode & S_IWUSR) user_allow |= (ACL_WRITE_DATA | ACL_APPEND_DATA); if (mode & S_IXUSR) user_allow |= ACL_EXECUTE; if (mode & S_IRGRP) group_allow |= ACL_READ_DATA; if (mode & S_IWGRP) group_allow |= (ACL_WRITE_DATA | ACL_APPEND_DATA); if (mode & S_IXGRP) group_allow |= ACL_EXECUTE; if (mode & S_IROTH) everyone_allow |= ACL_READ_DATA; if (mode & S_IWOTH) everyone_allow |= (ACL_WRITE_DATA | ACL_APPEND_DATA); if (mode & S_IXOTH) everyone_allow |= ACL_EXECUTE; user_deny = ((group_allow | everyone_allow) & ~user_allow); group_deny = everyone_allow & ~group_allow; user_allow_first = group_deny & ~user_deny; if (user_allow_first != 0) _acl_append(aclp, ACL_USER_OBJ, user_allow_first, ACL_ENTRY_TYPE_ALLOW); if (user_deny != 0) _acl_append(aclp, ACL_USER_OBJ, user_deny, ACL_ENTRY_TYPE_DENY); if (group_deny != 0) _acl_append(aclp, ACL_GROUP_OBJ, group_deny, ACL_ENTRY_TYPE_DENY); _acl_append(aclp, ACL_USER_OBJ, user_allow, ACL_ENTRY_TYPE_ALLOW); _acl_append(aclp, ACL_GROUP_OBJ, group_allow, ACL_ENTRY_TYPE_ALLOW); _acl_append(aclp, ACL_EVERYONE, everyone_allow, ACL_ENTRY_TYPE_ALLOW); } void acl_nfs4_sync_acl_from_mode(struct acl *aclp, mode_t mode, int file_owner_id) { int i, meets, must_append; struct acl_entry *entry, *copy, *previous, *a1, *a2, *a3, *a4, *a5, *a6; mode_t amode; const int READ = 04; const int WRITE = 02; const int EXEC = 01; KASSERT(aclp->acl_cnt <= ACL_MAX_ENTRIES, ("aclp->acl_cnt <= ACL_MAX_ENTRIES")); /* * NFSv4 Minor Version 1, draft-ietf-nfsv4-minorversion1-03.txt * * 3.16.6.3. Applying a Mode to an Existing ACL */ /* * 1. For each ACE: */ for (i = 0; i < aclp->acl_cnt; i++) { entry = &(aclp->acl_entry[i]); /* * 1.1. If the type is neither ALLOW or DENY - skip. */ if (entry->ae_entry_type != ACL_ENTRY_TYPE_ALLOW && entry->ae_entry_type != ACL_ENTRY_TYPE_DENY) continue; /* * 1.2. If ACL_ENTRY_INHERIT_ONLY is set - skip. */ if (entry->ae_flags & ACL_ENTRY_INHERIT_ONLY) continue; /* * 1.3. If ACL_ENTRY_FILE_INHERIT or ACL_ENTRY_DIRECTORY_INHERIT * are set: */ if (entry->ae_flags & (ACL_ENTRY_FILE_INHERIT | ACL_ENTRY_DIRECTORY_INHERIT)) { /* * 1.3.1. A copy of the current ACE is made, and placed * in the ACL immediately following the current * ACE. */ copy = _acl_duplicate_entry(aclp, i); /* * 1.3.2. In the first ACE, the flag * ACL_ENTRY_INHERIT_ONLY is set. */ entry->ae_flags |= ACL_ENTRY_INHERIT_ONLY; /* * 1.3.3. In the second ACE, the following flags * are cleared: * ACL_ENTRY_FILE_INHERIT, * ACL_ENTRY_DIRECTORY_INHERIT, * ACL_ENTRY_NO_PROPAGATE_INHERIT. */ copy->ae_flags &= ~(ACL_ENTRY_FILE_INHERIT | ACL_ENTRY_DIRECTORY_INHERIT | ACL_ENTRY_NO_PROPAGATE_INHERIT); /* * The algorithm continues on with the second ACE. */ i++; entry = copy; } /* * 1.4. If it's owner@, group@ or everyone@ entry, clear * ACL_READ_DATA, ACL_WRITE_DATA, ACL_APPEND_DATA * and ACL_EXECUTE. Continue to the next entry. */ if (entry->ae_tag == ACL_USER_OBJ || entry->ae_tag == ACL_GROUP_OBJ || entry->ae_tag == ACL_EVERYONE) { entry->ae_perm &= ~(ACL_READ_DATA | ACL_WRITE_DATA | ACL_APPEND_DATA | ACL_EXECUTE); continue; } /* * 1.5. Otherwise, if the "who" field did not match one * of OWNER@, GROUP@, EVERYONE@: * * 1.5.1. If the type is ALLOW, check the preceding ACE. * If it does not meet all of the following criteria: */ if (entry->ae_entry_type != ACL_ENTRY_TYPE_ALLOW) continue; meets = 0; if (i > 0) { meets = 1; previous = &(aclp->acl_entry[i - 1]); /* * 1.5.1.1. The type field is DENY, */ if (previous->ae_entry_type != ACL_ENTRY_TYPE_DENY) meets = 0; /* * 1.5.1.2. The "who" field is the same as the current * ACE, * * 1.5.1.3. The flag bit ACE4_IDENTIFIER_GROUP * is the same as it is in the current ACE, * and no other flag bits are set, */ if (previous->ae_id != entry->ae_id || previous->ae_tag != entry->ae_tag) meets = 0; if (previous->ae_flags) meets = 0; /* * 1.5.1.4. The mask bits are a subset of the mask bits * of the current ACE, and are also subset of * the following: ACL_READ_DATA, * ACL_WRITE_DATA, ACL_APPEND_DATA, ACL_EXECUTE */ if (previous->ae_perm & ~(entry->ae_perm)) meets = 0; if (previous->ae_perm & ~(ACL_READ_DATA | ACL_WRITE_DATA | ACL_APPEND_DATA | ACL_EXECUTE)) meets = 0; } if (!meets) { /* * Then the ACE of type DENY, with a who equal * to the current ACE, flag bits equal to * ( & ) * and no mask bits, is prepended. */ previous = entry; entry = _acl_duplicate_entry(aclp, i); /* Adjust counter, as we've just added an entry. */ i++; previous->ae_tag = entry->ae_tag; previous->ae_id = entry->ae_id; previous->ae_flags = entry->ae_flags; previous->ae_perm = 0; previous->ae_entry_type = ACL_ENTRY_TYPE_DENY; } /* * 1.5.2. The following modifications are made to the prepended * ACE. The intent is to mask the following ACE * to disallow ACL_READ_DATA, ACL_WRITE_DATA, * ACL_APPEND_DATA, or ACL_EXECUTE, based upon the group * permissions of the new mode. As a special case, * if the ACE matches the current owner of the file, * the owner bits are used, rather than the group bits. * This is reflected in the algorithm below. */ amode = mode >> 3; /* * If ACE4_IDENTIFIER_GROUP is not set, and the "who" field * in ACE matches the owner of the file, we shift amode three * more bits, in order to have the owner permission bits * placed in the three low order bits of amode. */ if (entry->ae_tag == ACL_USER && entry->ae_id == file_owner_id) amode = amode >> 3; if (entry->ae_perm & ACL_READ_DATA) { if (amode & READ) previous->ae_perm &= ~ACL_READ_DATA; else previous->ae_perm |= ACL_READ_DATA; } if (entry->ae_perm & ACL_WRITE_DATA) { if (amode & WRITE) previous->ae_perm &= ~ACL_WRITE_DATA; else previous->ae_perm |= ACL_WRITE_DATA; } if (entry->ae_perm & ACL_APPEND_DATA) { if (amode & WRITE) previous->ae_perm &= ~ACL_APPEND_DATA; else previous->ae_perm |= ACL_APPEND_DATA; } if (entry->ae_perm & ACL_EXECUTE) { if (amode & EXEC) previous->ae_perm &= ~ACL_EXECUTE; else previous->ae_perm |= ACL_EXECUTE; } /* * 1.5.3. If ACE4_IDENTIFIER_GROUP is set in the flags * of the ALLOW ace: * * XXX: This point is not there in the Falkner's draft. */ if (entry->ae_tag == ACL_GROUP && entry->ae_entry_type == ACL_ENTRY_TYPE_ALLOW) { mode_t extramode, ownermode; extramode = (mode >> 3) & 07; ownermode = mode >> 6; extramode &= ~ownermode; if (extramode) { if (extramode & READ) { entry->ae_perm &= ~ACL_READ_DATA; previous->ae_perm &= ~ACL_READ_DATA; } if (extramode & WRITE) { entry->ae_perm &= ~(ACL_WRITE_DATA | ACL_APPEND_DATA); previous->ae_perm &= ~(ACL_WRITE_DATA | ACL_APPEND_DATA); } if (extramode & EXEC) { entry->ae_perm &= ~ACL_EXECUTE; previous->ae_perm &= ~ACL_EXECUTE; } } } } /* * 2. If there at least six ACEs, the final six ACEs are examined. * If they are not equal to what we want, append six ACEs. */ must_append = 0; if (aclp->acl_cnt < 6) { must_append = 1; } else { a6 = &(aclp->acl_entry[aclp->acl_cnt - 1]); a5 = &(aclp->acl_entry[aclp->acl_cnt - 2]); a4 = &(aclp->acl_entry[aclp->acl_cnt - 3]); a3 = &(aclp->acl_entry[aclp->acl_cnt - 4]); a2 = &(aclp->acl_entry[aclp->acl_cnt - 5]); a1 = &(aclp->acl_entry[aclp->acl_cnt - 6]); if (!_acl_entry_matches(a1, ACL_USER_OBJ, 0, ACL_ENTRY_TYPE_DENY)) must_append = 1; if (!_acl_entry_matches(a2, ACL_USER_OBJ, ACL_WRITE_ACL | ACL_WRITE_OWNER | ACL_WRITE_ATTRIBUTES | ACL_WRITE_NAMED_ATTRS, ACL_ENTRY_TYPE_ALLOW)) must_append = 1; if (!_acl_entry_matches(a3, ACL_GROUP_OBJ, 0, ACL_ENTRY_TYPE_DENY)) must_append = 1; if (!_acl_entry_matches(a4, ACL_GROUP_OBJ, 0, ACL_ENTRY_TYPE_ALLOW)) must_append = 1; if (!_acl_entry_matches(a5, ACL_EVERYONE, ACL_WRITE_ACL | ACL_WRITE_OWNER | ACL_WRITE_ATTRIBUTES | ACL_WRITE_NAMED_ATTRS, ACL_ENTRY_TYPE_DENY)) must_append = 1; if (!_acl_entry_matches(a6, ACL_EVERYONE, ACL_READ_ACL | ACL_READ_ATTRIBUTES | ACL_READ_NAMED_ATTRS | ACL_SYNCHRONIZE, ACL_ENTRY_TYPE_ALLOW)) must_append = 1; } if (must_append) { KASSERT(aclp->acl_cnt + 6 <= ACL_MAX_ENTRIES, ("aclp->acl_cnt <= ACL_MAX_ENTRIES")); a1 = _acl_append(aclp, ACL_USER_OBJ, 0, ACL_ENTRY_TYPE_DENY); a2 = _acl_append(aclp, ACL_USER_OBJ, ACL_WRITE_ACL | ACL_WRITE_OWNER | ACL_WRITE_ATTRIBUTES | ACL_WRITE_NAMED_ATTRS, ACL_ENTRY_TYPE_ALLOW); a3 = _acl_append(aclp, ACL_GROUP_OBJ, 0, ACL_ENTRY_TYPE_DENY); a4 = _acl_append(aclp, ACL_GROUP_OBJ, 0, ACL_ENTRY_TYPE_ALLOW); a5 = _acl_append(aclp, ACL_EVERYONE, ACL_WRITE_ACL | ACL_WRITE_OWNER | ACL_WRITE_ATTRIBUTES | ACL_WRITE_NAMED_ATTRS, ACL_ENTRY_TYPE_DENY); a6 = _acl_append(aclp, ACL_EVERYONE, ACL_READ_ACL | ACL_READ_ATTRIBUTES | ACL_READ_NAMED_ATTRS | ACL_SYNCHRONIZE, ACL_ENTRY_TYPE_ALLOW); KASSERT(a1 != NULL && a2 != NULL && a3 != NULL && a4 != NULL && a5 != NULL && a6 != NULL, ("couldn't append to ACL.")); } /* * 3. The final six ACEs are adjusted according to the incoming mode. */ if (mode & S_IRUSR) a2->ae_perm |= ACL_READ_DATA; else a1->ae_perm |= ACL_READ_DATA; if (mode & S_IWUSR) a2->ae_perm |= (ACL_WRITE_DATA | ACL_APPEND_DATA); else a1->ae_perm |= (ACL_WRITE_DATA | ACL_APPEND_DATA); if (mode & S_IXUSR) a2->ae_perm |= ACL_EXECUTE; else a1->ae_perm |= ACL_EXECUTE; if (mode & S_IRGRP) a4->ae_perm |= ACL_READ_DATA; else a3->ae_perm |= ACL_READ_DATA; if (mode & S_IWGRP) a4->ae_perm |= (ACL_WRITE_DATA | ACL_APPEND_DATA); else a3->ae_perm |= (ACL_WRITE_DATA | ACL_APPEND_DATA); if (mode & S_IXGRP) a4->ae_perm |= ACL_EXECUTE; else a3->ae_perm |= ACL_EXECUTE; if (mode & S_IROTH) a6->ae_perm |= ACL_READ_DATA; else a5->ae_perm |= ACL_READ_DATA; if (mode & S_IWOTH) a6->ae_perm |= (ACL_WRITE_DATA | ACL_APPEND_DATA); else a5->ae_perm |= (ACL_WRITE_DATA | ACL_APPEND_DATA); if (mode & S_IXOTH) a6->ae_perm |= ACL_EXECUTE; else a5->ae_perm |= ACL_EXECUTE; } void acl_nfs4_sync_mode_from_acl(mode_t *_mode, const struct acl *aclp) { int i; mode_t old_mode = *_mode, mode = 0, seen = 0; const struct acl_entry *entry; KASSERT(aclp->acl_cnt > 0, ("aclp->acl_cnt > 0")); KASSERT(aclp->acl_cnt <= ACL_MAX_ENTRIES, ("aclp->acl_cnt <= ACL_MAX_ENTRIES")); /* * NFSv4 Minor Version 1, draft-ietf-nfsv4-minorversion1-03.txt * * 3.16.6.1. Recomputing mode upon SETATTR of ACL */ for (i = 0; i < aclp->acl_cnt; i++) { entry = &(aclp->acl_entry[i]); if (entry->ae_entry_type != ACL_ENTRY_TYPE_ALLOW && entry->ae_entry_type != ACL_ENTRY_TYPE_DENY) continue; if (entry->ae_flags & ACL_ENTRY_INHERIT_ONLY) continue; if (entry->ae_tag == ACL_USER_OBJ) { if ((entry->ae_perm & ACL_READ_DATA) && ((seen & S_IRUSR) == 0)) { seen |= S_IRUSR; if (entry->ae_entry_type == ACL_ENTRY_TYPE_ALLOW) mode |= S_IRUSR; } if ((entry->ae_perm & ACL_WRITE_DATA) && ((seen & S_IWUSR) == 0)) { seen |= S_IWUSR; if (entry->ae_entry_type == ACL_ENTRY_TYPE_ALLOW) mode |= S_IWUSR; } if ((entry->ae_perm & ACL_EXECUTE) && ((seen & S_IXUSR) == 0)) { seen |= S_IXUSR; if (entry->ae_entry_type == ACL_ENTRY_TYPE_ALLOW) mode |= S_IXUSR; } } else if (entry->ae_tag == ACL_GROUP_OBJ) { if ((entry->ae_perm & ACL_READ_DATA) && ((seen & S_IRGRP) == 0)) { seen |= S_IRGRP; if (entry->ae_entry_type == ACL_ENTRY_TYPE_ALLOW) mode |= S_IRGRP; } if ((entry->ae_perm & ACL_WRITE_DATA) && ((seen & S_IWGRP) == 0)) { seen |= S_IWGRP; if (entry->ae_entry_type == ACL_ENTRY_TYPE_ALLOW) mode |= S_IWGRP; } if ((entry->ae_perm & ACL_EXECUTE) && ((seen & S_IXGRP) == 0)) { seen |= S_IXGRP; if (entry->ae_entry_type == ACL_ENTRY_TYPE_ALLOW) mode |= S_IXGRP; } } else if (entry->ae_tag == ACL_EVERYONE) { if (entry->ae_perm & ACL_READ_DATA) { if ((seen & S_IRUSR) == 0) { seen |= S_IRUSR; if (entry->ae_entry_type == ACL_ENTRY_TYPE_ALLOW) mode |= S_IRUSR; } if ((seen & S_IRGRP) == 0) { seen |= S_IRGRP; if (entry->ae_entry_type == ACL_ENTRY_TYPE_ALLOW) mode |= S_IRGRP; } if ((seen & S_IROTH) == 0) { seen |= S_IROTH; if (entry->ae_entry_type == ACL_ENTRY_TYPE_ALLOW) mode |= S_IROTH; } } if (entry->ae_perm & ACL_WRITE_DATA) { if ((seen & S_IWUSR) == 0) { seen |= S_IWUSR; if (entry->ae_entry_type == ACL_ENTRY_TYPE_ALLOW) mode |= S_IWUSR; } if ((seen & S_IWGRP) == 0) { seen |= S_IWGRP; if (entry->ae_entry_type == ACL_ENTRY_TYPE_ALLOW) mode |= S_IWGRP; } if ((seen & S_IWOTH) == 0) { seen |= S_IWOTH; if (entry->ae_entry_type == ACL_ENTRY_TYPE_ALLOW) mode |= S_IWOTH; } } if (entry->ae_perm & ACL_EXECUTE) { if ((seen & S_IXUSR) == 0) { seen |= S_IXUSR; if (entry->ae_entry_type == ACL_ENTRY_TYPE_ALLOW) mode |= S_IXUSR; } if ((seen & S_IXGRP) == 0) { seen |= S_IXGRP; if (entry->ae_entry_type == ACL_ENTRY_TYPE_ALLOW) mode |= S_IXGRP; } if ((seen & S_IXOTH) == 0) { seen |= S_IXOTH; if (entry->ae_entry_type == ACL_ENTRY_TYPE_ALLOW) mode |= S_IXOTH; } } } } *_mode = mode | (old_mode & ACL_PRESERVE_MASK); } void acl_nfs4_compute_inherited_acl(const struct acl *parent_aclp, struct acl *child_aclp, mode_t mode, int file_owner_id, int is_directory) { int i, flags; const struct acl_entry *parent_entry; struct acl_entry *entry, *copy; KASSERT(child_aclp->acl_cnt == 0, ("child_aclp->acl_cnt == 0")); KASSERT(parent_aclp->acl_cnt > 0, ("parent_aclp->acl_cnt > 0")); KASSERT(parent_aclp->acl_cnt <= ACL_MAX_ENTRIES, ("parent_aclp->acl_cnt <= ACL_MAX_ENTRIES")); /* * NFSv4 Minor Version 1, draft-ietf-nfsv4-minorversion1-03.txt * * 3.16.6.2. Applying the mode given to CREATE or OPEN * to an inherited ACL */ /* * 1. Form an ACL that is the concatenation of all inheritable ACEs. */ for (i = 0; i < parent_aclp->acl_cnt; i++) { parent_entry = &(parent_aclp->acl_entry[i]); flags = parent_entry->ae_flags; /* * Entry is not inheritable at all. */ if ((flags & (ACL_ENTRY_DIRECTORY_INHERIT | ACL_ENTRY_FILE_INHERIT)) == 0) continue; /* * We're creating a file, but entry is not inheritable * by files. */ if (!is_directory && (flags & ACL_ENTRY_FILE_INHERIT) == 0) continue; /* * Entry is inheritable only by files, but has NO_PROPAGATE * flag set, and we're creating a directory, so it wouldn't * propagate to any file in that directory anyway. */ if (is_directory && (flags & ACL_ENTRY_DIRECTORY_INHERIT) == 0 && (flags & ACL_ENTRY_NO_PROPAGATE_INHERIT)) continue; KASSERT(child_aclp->acl_cnt + 1 <= ACL_MAX_ENTRIES, ("child_aclp->acl_cnt + 1 <= ACL_MAX_ENTRIES")); child_aclp->acl_entry[child_aclp->acl_cnt] = *parent_entry; child_aclp->acl_cnt++; } /* * 2. For each entry in the new ACL, adjust its flags, possibly * creating two entries in place of one. */ for (i = 0; i < child_aclp->acl_cnt; i++) { entry = &(child_aclp->acl_entry[i]); /* * This is not in the specification, but SunOS * apparently does that. */ if (((entry->ae_flags & ACL_ENTRY_NO_PROPAGATE_INHERIT) || !is_directory) && entry->ae_entry_type == ACL_ENTRY_TYPE_ALLOW) entry->ae_perm &= ~(ACL_WRITE_ACL | ACL_WRITE_OWNER); /* * 2.A. If the ACL_ENTRY_NO_PROPAGATE_INHERIT is set, or if the object * being created is not a directory, then clear the * following flags: ACL_ENTRY_NO_PROPAGATE_INHERIT, * ACL_ENTRY_FILE_INHERIT, ACL_ENTRY_DIRECTORY_INHERIT, * ACL_ENTRY_INHERIT_ONLY. */ if (entry->ae_flags & ACL_ENTRY_NO_PROPAGATE_INHERIT || !is_directory) { entry->ae_flags &= ~(ACL_ENTRY_NO_PROPAGATE_INHERIT | ACL_ENTRY_FILE_INHERIT | ACL_ENTRY_DIRECTORY_INHERIT | ACL_ENTRY_INHERIT_ONLY); /* * Continue on to the next ACE. */ continue; } /* * 2.B. If the object is a directory and ACL_ENTRY_FILE_INHERIT * is set, but ACL_ENTRY_NO_PROPAGATE_INHERIT is not set, ensure * that ACL_ENTRY_INHERIT_ONLY is set. Continue to the * next ACE. Otherwise... */ /* * XXX: Read it again and make sure what does the "otherwise" * apply to. */ if (is_directory && (entry->ae_flags & ACL_ENTRY_FILE_INHERIT) && ((entry->ae_flags & ACL_ENTRY_DIRECTORY_INHERIT) == 0)) { entry->ae_flags |= ACL_ENTRY_INHERIT_ONLY; continue; } /* * 2.C. If the type of the ACE is neither ALLOW nor deny, * then continue. */ if (entry->ae_entry_type != ACL_ENTRY_TYPE_ALLOW && entry->ae_entry_type != ACL_ENTRY_TYPE_DENY) continue; /* * 2.D. Copy the original ACE into a second, adjacent ACE. */ copy = _acl_duplicate_entry(child_aclp, i); /* * 2.E. On the first ACE, ensure that ACL_ENTRY_INHERIT_ONLY * is set. */ entry->ae_flags |= ACL_ENTRY_INHERIT_ONLY; /* * 2.F. On the second ACE, clear the following flags: * ACL_ENTRY_NO_PROPAGATE_INHERIT, ACL_ENTRY_FILE_INHERIT, * ACL_ENTRY_DIRECTORY_INHERIT, ACL_ENTRY_INHERIT_ONLY. */ copy->ae_flags &= ~(ACL_ENTRY_NO_PROPAGATE_INHERIT | ACL_ENTRY_FILE_INHERIT | ACL_ENTRY_DIRECTORY_INHERIT | ACL_ENTRY_INHERIT_ONLY); /* * 2.G. On the second ACE, if the type is ALLOW, * an implementation MAY clear the following * mask bits: ACL_WRITE_ACL, ACL_WRITE_OWNER. */ if (copy->ae_entry_type == ACL_ENTRY_TYPE_ALLOW) copy->ae_perm &= ~(ACL_WRITE_ACL | ACL_WRITE_OWNER); /* * Increment the counter to skip the copied entry. */ i++; } /* * 3. To ensure that the mode is honored, apply the algorithm describe * in Section 2.16.6.3, using the mode that is to be used for file * creation. */ acl_nfs4_sync_acl_from_mode(child_aclp, mode, file_owner_id); } #ifdef _KERNEL static int _acls_are_equal(const struct acl *a, const struct acl *b) { int i; const struct acl_entry *entrya, *entryb; if (a->acl_cnt != b->acl_cnt) return (0); for (i = 0; i < b->acl_cnt; i++) { entrya = &(a->acl_entry[i]); entryb = &(b->acl_entry[i]); if (entrya->ae_tag != entryb->ae_tag || entrya->ae_id != entryb->ae_id || entrya->ae_perm != entryb->ae_perm || entrya->ae_entry_type != entryb->ae_entry_type || entrya->ae_flags != entryb->ae_flags) return (0); } return (1); } /* * This routine is used to determine whether to remove extended attribute * that stores ACL contents. */ int acl_nfs4_is_trivial(const struct acl *aclp, int file_owner_id) { int trivial; mode_t tmpmode = 0; struct acl *tmpaclp; if (aclp->acl_cnt != 6) return (0); /* * Compute the mode from the ACL, then compute new ACL from that mode. * If the ACLs are identical, then the ACL is trivial. * * XXX: I guess there is a faster way to do this. However, even * this slow implementation significantly speeds things up * for files that don't have non-trivial ACLs - it's critical * for performance to not use EA when they are not needed. */ tmpaclp = acl_alloc(M_WAITOK | M_ZERO); acl_nfs4_sync_mode_from_acl(&tmpmode, aclp); acl_nfs4_sync_acl_from_mode(tmpaclp, tmpmode, file_owner_id); trivial = _acls_are_equal(aclp, tmpaclp); acl_free(tmpaclp); return (trivial); } #endif /* _KERNEL */ int acl_nfs4_check(const struct acl *aclp, int is_directory) { int i; const struct acl_entry *entry; /* * The spec doesn't seem to say anything about ACL validity. * It seems there is not much to do here. There is even no need * to count "owner@" or "everyone@" (ACL_USER_OBJ and ACL_EVERYONE) * entries, as there can be several of them and that's perfectly * valid. There can be none of them too. Really. */ if (aclp->acl_cnt > ACL_MAX_ENTRIES || aclp->acl_cnt <= 0) return (EINVAL); for (i = 0; i < aclp->acl_cnt; i++) { entry = &(aclp->acl_entry[i]); switch (entry->ae_tag) { case ACL_USER_OBJ: case ACL_GROUP_OBJ: case ACL_EVERYONE: if (entry->ae_id != ACL_UNDEFINED_ID) return (EINVAL); break; case ACL_USER: case ACL_GROUP: if (entry->ae_id == ACL_UNDEFINED_ID) return (EINVAL); break; default: return (EINVAL); } if ((entry->ae_perm | ACL_NFS4_PERM_BITS) != ACL_NFS4_PERM_BITS) return (EINVAL); /* * Disallow ACL_ENTRY_TYPE_AUDIT and ACL_ENTRY_TYPE_ALARM for now. */ if (entry->ae_entry_type != ACL_ENTRY_TYPE_ALLOW && entry->ae_entry_type != ACL_ENTRY_TYPE_DENY) return (EINVAL); if ((entry->ae_flags | ACL_FLAGS_BITS) != ACL_FLAGS_BITS) return (EINVAL); /* Disallow unimplemented flags. */ if (entry->ae_flags & (ACL_ENTRY_SUCCESSFUL_ACCESS | ACL_ENTRY_FAILED_ACCESS)) return (EINVAL); /* Disallow flags not allowed for ordinary files. */ if (!is_directory) { if (entry->ae_flags & (ACL_ENTRY_FILE_INHERIT | ACL_ENTRY_DIRECTORY_INHERIT | ACL_ENTRY_NO_PROPAGATE_INHERIT | ACL_ENTRY_INHERIT_ONLY)) return (EINVAL); } } return (0); }